Azure / azure-webjobs-sdk

Azure WebJobs SDK
MIT License

Ability to authenticate to Storage using TokenCredential instead of Connection String #2984

Open stephajn opened 1 year ago

stephajn commented 1 year ago

It has recently been brought to light that using Shared Access Keys is not secure and carries with it security risks. Rather than having to rely on a connection string for AzureWebJobsStorage, it would be really great if we could instead specify a TokenCredential that we want to use along with an account name in WebJobs SDK to connect to Azure Storage.

Expected behavior

Connection Strings shouldn't be the only way to connect to storage for triggers and other storage needs

Actual behavior

We are stuck using a connection string no matter what if we want to use the WebJobs SDK.

Related information

The Azure.Storage.* NuGet packages all are able to have clients that authenticate using TokenCredentials instead of service connection strings; shouldn't the WebJobs SDK have the same capability?

If it does and it just isn't obvious, then we need some guidance in the documentation about how to enable this.

Edited to add the following: I am specifically referring to Azure WebJobs, and NOT Azure Functions.

yescorp commented 4 months ago

Are there any updates on this? I have been searching the documentation for how to configure access with TokenCredential but didn't find anything related to it.

Everywhere either ConnectionString or MSI is used.